Subordinate CA issues on Win2k3 sp1 Standard Edition

Subject: Subordinate CA issues on Win2k3 sp1 Standard Edition
Posted by: graydo64 (person…@graemewilson.eu)
Date: 2 Feb 2007

We're trying to set up a PKI for the first time and although the
installation went OK we're now not able to issue any certificates.
All our DCs are 2k3 sp1.  Our root CA is on 2k3 sp1 and is
standalone.  We have one subordinate CA running on a non-DC machine
that is w2k3 sp1 standard edition.

I've found a number of articles mentioning that v2 certificates can
only be issued by an enterprise edition server - does that mean we
can't issue any certificates from our subordinate CA as all of the
certificate templates in AD seem to be v2?

The subordinate CA's event log shows a number of event ID 53s
(request denial) but, more worryingly, a lot of event 77s at service
startup:

The "Windows default" Policy Module logged the following warning: The
Administrator Certificate Template could not be loaded.  Element not
found. 0x80070490 (WIN32: 1168).

If I run

certutil -template

I get 'Access is denied' on all templates.  Even worse, when one of our
Enterprise Admins tries to modify the permissions on the templates
using the AD Sites and Services snap-in, we also get an 'Access is
denied' error.

It's a bit of a mess in short - any suggestions would be appreciated.

thanks,

Graeme.

Replies